From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Tobias Brunner, Steffen Klassert, "David S. Miller", Sasha Levin
Subject: [PATCH 4.14 007/138] ipv6: Reinject IPv6 packets if IPsec policy matches after SNAT
Date: Wed, 11 Apr 2018 00:23:17 +0200
Message-Id: <20180410212903.008087216@linuxfoundation.org>
In-Reply-To: <20180410212902.121524696@linuxfoundation.org>
References: <20180410212902.121524696@linuxfoundation.org>

4.14-stable review patch. If anyone has any objections, please let me know.

------------------
From: Tobias Brunner [ Upstream commit 09ee9dba9611cd382fd360a99ad1c2fa23bfdca8 ] If SNAT modifies the source address the resulting packet might match an IPsec policy, reinject the packet if that's the case. The exact same thing is already done for IPv4. Signed-off-by: Tobias Brunner Acked-by: Steffen Klassert Signed-off-by: David S. Miller Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- net/ipv6/ip6_output.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- a/net/ipv6/ip6_output.c +++ b/net/ipv6/ip6_output.c @@ -138,6 +138,14 @@ static int ip6_finish_output(struct net return ret; } +#if defined(CONFIG_NETFILTER) && defined(CONFIG_XFRM) + /* Policy lookup after SNAT yielded a new policy */ + if (skb_dst(skb)->xfrm) { + IPCB(skb)->flags |= IPSKB_REROUTED; + return dst_output(net, sk, skb); + } +#endif + if ((skb->len > ip6_skb_dst_mtu(skb) && !skb_is_gso(skb)) || dst_allfrag(skb_dst(skb)) || (IP6CB(skb)->frag_max_size && skb->len > IP6CB(skb)->frag_max_size))
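Review bot: In the added block in ip6_finish_output(), `IPCB(skb)->flags |= IPSKB_REROUTED;` uses the IPv4 control-block accessor and the IPv4 flag name inside net/ipv6/ip6_output.c, while the unchanged context directly below reads the same skb through `IP6CB(skb)->frag_max_size`. The commit message says this mirrors what IPv4 already does, so the line looks carried over unchanged; please confirm that the IPv6 code which later tests the rerouted state also reads it through IPCB(), and if it does not, switch this line to `IP6CB(skb)->flags |= IP6SKB_REROUTED;` so the bit lands in the field the IPv6 path checks. The comment above the test could also state why the flag is set before calling dst_output() (what the reinjected packet is expected to skip on its second pass), since the hunk does not show where the flag is consumed.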